eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/containers/shower/default.nix

223 lines
6.8 KiB
Nix
Raw Normal View History

C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
# Nix-built shower app container — Adelaide / Heidi / Addie baby shower.
#
# The app is published as a wheel to the Forgejo PyPI index at
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
# https://forge.eblu.me/api/packages/eblume/pypi/. The wheel + its
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
# transitive Python deps are baked in at build time via a fixed-output
# derivation that runs `pip install --target` against forge PyPI (proxied
# through pypi.ops.eblu.me for upstream packages). Build runs on the
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
# nix-container-builder runner (ringtail, amd64) so the image is native.
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
#
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
# Going through pip-install-target rather than nixpkgs Python packages
# sidesteps two issues we hit going through `python.pkgs.buildPythonPackage`:
# 1. python314Packages.django still aliases to Django 4.2 LTS, which
# doesn't support Python 3.14 at all.
# 2. django-axes pulls selenium + browser fonts into its check phase
# and the nix sandbox can't provide those.
#
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
# To bump the version:
# 1. Update `version` below.
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
# 2. Set `outputHash` to `pkgs.lib.fakeHash`, run the build, copy the
# real hash out of the error, and commit it.
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
{ pkgs ? import <nixpkgs> { } }:
let
C1: bump shower to v1.0.1; collapse WAN admin to tailnet-only PR review caught that we didn't need an admin login surface on WAN. App v1.0.1 adds DJANGO_PUBLIC_URL_BASE so QR codes generated from /host/ (now tailnet-only) still point at shower.eblu.me for guest phones — that closes the loop and lets us strip the WAN admin surface entirely. Container: - bump version to 1.0.1 - outputHash → fakeHash (build will print the real one) - entrypoint still does migrate + collectstatic before gunicorn — the app is small enough that auto-migration is fine Manifests: - configmap adds DJANGO_PUBLIC_URL_BASE=https://shower.eblu.me Fly nginx (shower.eblu.me): - drop the /admin/(login|logout) carveout - 403 anything under /admin/ AND /host/ with a "tailnet only" pointer - drop the shower_auth limit_req zone and \$shower_banned geo - drop the shower-admin-login fail2ban filter + jail - drop the shower-deny.conf touch from start.sh Docs: - rename how-to docs/how-to/operations/shower-app.md → shower-on-ringtail.md (mirrors cv-on-indri / docs-on-indri) - new reference card docs/reference/services/shower-app.md per PR review comment 2 (≈30s read; quick facts + cross-links) - rewrite Defense layers section: collapses to general rate limit + django-axes on the tailnet-side login (the only credential surface) - rewrite the .infra.md changelog fragment to match - add a 'Create the admin user' step (kubectl exec createsuperuser) so first-time deploys aren't locked out The nginx-deny action's per-jail \`nginx_deny_file\` generalization stays — harmless future-proofing for the next public service. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 10:23:40 -07:00
version = "1.0.1";
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
python = pkgs.python314;
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
# Fixed-output derivation: pip-installs the app wheel + every transitive
# dep into a single target dir. FODs get network access in exchange for
# a pinned output hash, which means the whole dependency closure is
# immutable across rebuilds.
C1: strip store refs in shower FOD; autopatchelf wrapper Run 534 failed with 'fixed-output derivations must not reference store paths: ... gcc-14.3.0-lib' because pip-installed wheels pulled stdenv into the venv (Python's setup, gcc-lib runtime references). Adapts authentik's two-stage pattern: - pyDepsFOD: pip-installs into the venv, then strips every nix store ref it can find (find+remove-references-to). Output is fully self-contained — pinned by outputHash. - pyDeps (non-FOD wrapper): copies the FOD output and runs autoPatchelfHook against runtime buildInputs (libstdc++, zlib, image libs for pillow). This restores RPATHs on the .so files that pillow and scipy ship, against the real on-image library locations. outputHash still fakeHash — next build prints the real one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:06:44 -07:00
pyDepsFOD = pkgs.stdenv.mkDerivation {
pname = "shower-python-deps-fod";
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
inherit version;
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
dontUnpack = true;
C1: strip store refs in shower FOD; autopatchelf wrapper Run 534 failed with 'fixed-output derivations must not reference store paths: ... gcc-14.3.0-lib' because pip-installed wheels pulled stdenv into the venv (Python's setup, gcc-lib runtime references). Adapts authentik's two-stage pattern: - pyDepsFOD: pip-installs into the venv, then strips every nix store ref it can find (find+remove-references-to). Output is fully self-contained — pinned by outputHash. - pyDeps (non-FOD wrapper): copies the FOD output and runs autoPatchelfHook against runtime buildInputs (libstdc++, zlib, image libs for pillow). This restores RPATHs on the .so files that pillow and scipy ship, against the real on-image library locations. outputHash still fakeHash — next build prints the real one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:06:44 -07:00
nativeBuildInputs = [ python pkgs.cacert pkgs.removeReferencesTo ];
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
buildPhase = ''
runHook preBuild
export HOME=$TMPDIR
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export PIP_DISABLE_PIP_VERSION_CHECK=1
${python}/bin/python -m venv "$TMPDIR/venv"
"$TMPDIR/venv/bin/pip" install --upgrade pip
"$TMPDIR/venv/bin/pip" install \
--no-cache-dir \
--index-url=https://pypi.ops.eblu.me/root/pypi/+simple/ \
--extra-index-url=https://forge.eblu.me/api/packages/eblume/pypi/simple/ \
"adelaide-baby-shower-app==${version}" \
gunicorn
runHook postBuild
'';
installPhase = ''
runHook preInstall
mkdir -p $out/lib/python3.14 $out/bin
cp -r "$TMPDIR/venv/lib/python3.14/site-packages" $out/lib/python3.14/site-packages
for script in "$TMPDIR/venv/bin/"*; do
[ -f "$script" ] || continue
name=$(basename "$script")
case "$name" in
python*|pip*|activate*) continue ;;
esac
C1: strip store refs in shower FOD; autopatchelf wrapper Run 534 failed with 'fixed-output derivations must not reference store paths: ... gcc-14.3.0-lib' because pip-installed wheels pulled stdenv into the venv (Python's setup, gcc-lib runtime references). Adapts authentik's two-stage pattern: - pyDepsFOD: pip-installs into the venv, then strips every nix store ref it can find (find+remove-references-to). Output is fully self-contained — pinned by outputHash. - pyDeps (non-FOD wrapper): copies the FOD output and runs autoPatchelfHook against runtime buildInputs (libstdc++, zlib, image libs for pillow). This restores RPATHs on the .so files that pillow and scipy ship, against the real on-image library locations. outputHash still fakeHash — next build prints the real one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:06:44 -07:00
cp "$script" "$out/bin/$name"
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
chmod +x "$out/bin/$name"
done
C1: strip store refs in shower FOD; autopatchelf wrapper Run 534 failed with 'fixed-output derivations must not reference store paths: ... gcc-14.3.0-lib' because pip-installed wheels pulled stdenv into the venv (Python's setup, gcc-lib runtime references). Adapts authentik's two-stage pattern: - pyDepsFOD: pip-installs into the venv, then strips every nix store ref it can find (find+remove-references-to). Output is fully self-contained — pinned by outputHash. - pyDeps (non-FOD wrapper): copies the FOD output and runs autoPatchelfHook against runtime buildInputs (libstdc++, zlib, image libs for pillow). This restores RPATHs on the .so files that pillow and scipy ship, against the real on-image library locations. outputHash still fakeHash — next build prints the real one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:06:44 -07:00
# --- Strip Nix store references (FOD outputs must be self-contained) ---
# The wrapper derivation below restores them via autoPatchelfHook + a
# python wrapper that points pyc-less imports at the on-image python.
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
C1: strip store refs in shower FOD; autopatchelf wrapper Run 534 failed with 'fixed-output derivations must not reference store paths: ... gcc-14.3.0-lib' because pip-installed wheels pulled stdenv into the venv (Python's setup, gcc-lib runtime references). Adapts authentik's two-stage pattern: - pyDepsFOD: pip-installs into the venv, then strips every nix store ref it can find (find+remove-references-to). Output is fully self-contained — pinned by outputHash. - pyDeps (non-FOD wrapper): copies the FOD output and runs autoPatchelfHook against runtime buildInputs (libstdc++, zlib, image libs for pillow). This restores RPATHs on the .so files that pillow and scipy ship, against the real on-image library locations. outputHash still fakeHash — next build prints the real one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:06:44 -07:00
# Strip bytecode entirely — pyc files embed compile-time paths.
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
find $out -type f -name '*.pyc' -delete
find $out -type d -name '__pycache__' -exec rm -rf {} + 2>/dev/null || true
C1: strip store refs in shower FOD; autopatchelf wrapper Run 534 failed with 'fixed-output derivations must not reference store paths: ... gcc-14.3.0-lib' because pip-installed wheels pulled stdenv into the venv (Python's setup, gcc-lib runtime references). Adapts authentik's two-stage pattern: - pyDepsFOD: pip-installs into the venv, then strips every nix store ref it can find (find+remove-references-to). Output is fully self-contained — pinned by outputHash. - pyDeps (non-FOD wrapper): copies the FOD output and runs autoPatchelfHook against runtime buildInputs (libstdc++, zlib, image libs for pillow). This restores RPATHs on the .so files that pillow and scipy ship, against the real on-image library locations. outputHash still fakeHash — next build prints the real one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:06:44 -07:00
# Dynamically discover all nix store references and strip them. We
# don't have a static list because pip pulls in stdenv via Python's
# build env (gcc-lib, libstdc++, etc.) and the closure is opaque.
{ find $out -type f -print0 \
| xargs -0 grep -aohE '/nix/store/[a-z0-9]{32}-[^/"[:space:]]+' 2>/dev/null \
|| true; } | sort -u > $TMPDIR/store-refs.txt
echo "Found $(wc -l < $TMPDIR/store-refs.txt) unique store path references to strip"
refs_args=""
while IFS= read -r ref; do
refs_args="$refs_args -t $ref"
done < $TMPDIR/store-refs.txt
if [ -n "$refs_args" ]; then
find $out -type f -exec remove-references-to $refs_args {} + 2>/dev/null || true
fi
remaining=$({ find $out -type f -print0 | xargs -0 grep -cl '/nix/store/' 2>/dev/null || true; } | wc -l)
echo "Files with remaining store references: $remaining"
runHook postInstall
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
'';
outputHashMode = "recursive";
outputHashAlgo = "sha256";
C1: pin shower FOD outputHash from run 535
2026-05-11 09:13:53 -07:00
# Pinned dep closure — reproducible until version bumps. To recompute,
# set to pkgs.lib.fakeHash and read the failure.
C1: bump shower to v1.0.1; collapse WAN admin to tailnet-only PR review caught that we didn't need an admin login surface on WAN. App v1.0.1 adds DJANGO_PUBLIC_URL_BASE so QR codes generated from /host/ (now tailnet-only) still point at shower.eblu.me for guest phones — that closes the loop and lets us strip the WAN admin surface entirely. Container: - bump version to 1.0.1 - outputHash → fakeHash (build will print the real one) - entrypoint still does migrate + collectstatic before gunicorn — the app is small enough that auto-migration is fine Manifests: - configmap adds DJANGO_PUBLIC_URL_BASE=https://shower.eblu.me Fly nginx (shower.eblu.me): - drop the /admin/(login|logout) carveout - 403 anything under /admin/ AND /host/ with a "tailnet only" pointer - drop the shower_auth limit_req zone and \$shower_banned geo - drop the shower-admin-login fail2ban filter + jail - drop the shower-deny.conf touch from start.sh Docs: - rename how-to docs/how-to/operations/shower-app.md → shower-on-ringtail.md (mirrors cv-on-indri / docs-on-indri) - new reference card docs/reference/services/shower-app.md per PR review comment 2 (≈30s read; quick facts + cross-links) - rewrite Defense layers section: collapses to general rate limit + django-axes on the tailnet-side login (the only credential surface) - rewrite the .infra.md changelog fragment to match - add a 'Create the admin user' step (kubectl exec createsuperuser) so first-time deploys aren't locked out The nginx-deny action's per-jail \`nginx_deny_file\` generalization stays — harmless future-proofing for the next public service. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 10:23:40 -07:00
outputHash = pkgs.lib.fakeHash;
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
dontFixup = true;
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
};
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
C1: strip store refs in shower FOD; autopatchelf wrapper Run 534 failed with 'fixed-output derivations must not reference store paths: ... gcc-14.3.0-lib' because pip-installed wheels pulled stdenv into the venv (Python's setup, gcc-lib runtime references). Adapts authentik's two-stage pattern: - pyDepsFOD: pip-installs into the venv, then strips every nix store ref it can find (find+remove-references-to). Output is fully self-contained — pinned by outputHash. - pyDeps (non-FOD wrapper): copies the FOD output and runs autoPatchelfHook against runtime buildInputs (libstdc++, zlib, image libs for pillow). This restores RPATHs on the .so files that pillow and scipy ship, against the real on-image library locations. outputHash still fakeHash — next build prints the real one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:06:44 -07:00
# Non-FOD wrapper: re-applies RPATHs to pre-built .so files (pillow,
# scipy) so they find libstdc++ / libz / etc. at runtime. autoPatchelfHook
# discovers needed libraries from buildInputs.
pyDeps = pkgs.stdenv.mkDerivation {
pname = "shower-python-deps";
inherit version;
dontUnpack = true;
nativeBuildInputs = [ pkgs.autoPatchelfHook ];
buildInputs = with pkgs; [
python
stdenv.cc.cc.lib # libstdc++, libgcc_s
zlib
libjpeg
libwebp
libtiff
openjpeg
lcms2
freetype
];
installPhase = ''
cp -r ${pyDepsFOD} $out
chmod -R u+w $out
'';
};
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
sitePackages = "${pyDeps}/lib/python3.14/site-packages";
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
# Settings shim — config/settings.py's `BASE_DIR = parent.parent` would
# otherwise resolve to site-packages, scattering db.sqlite3 / media /
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
# staticfiles into the venv. Pin them to /app/{data,media,data/staticfiles}.
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
localSettings = pkgs.writeText "local_settings.py" ''
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
from config.settings import * # noqa: F401,F403
DATABASES["default"]["NAME"] = "/app/data/db.sqlite3"
MEDIA_ROOT = "/app/media"
STATIC_ROOT = "/app/data/staticfiles"
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
'';
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
entrypoint = pkgs.writeShellScript "shower-entrypoint" ''
set -eu
export HOME=/app/data
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
export PATH=${pyDeps}/bin:${python}/bin:/bin
export PYTHONPATH=/app:${sitePackages}
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
export DJANGO_SETTINGS_MODULE=local_settings
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
cd /app
mkdir -p /app/data /app/media
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
echo "shower: running migrations"
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
${python}/bin/python -m django migrate --noinput
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
echo "shower: collecting static files"
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
${python}/bin/python -m django collectstatic --noinput --clear
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
echo "shower: starting gunicorn"
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
exec ${pyDeps}/bin/gunicorn \
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
--bind 0.0.0.0:8000 \
--workers 2 \
--forwarded-allow-ips='*' \
config.wsgi:application
'';
in
pkgs.dockerTools.buildLayeredImage {
name = "blumeops/shower";
contents = [
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
python
pyDeps
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
pkgs.cacert
pkgs.tzdata
pkgs.bashInteractive
pkgs.coreutils
];
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
extraCommands = ''
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
mkdir -p app/data app/media tmp
chmod 1777 tmp
C1: bake shower wheel into image; wire borgmatic; refine NFS docs Three follow-ups on the shower deployment branch: 1. containers/shower/default.nix now uses buildPythonPackage to install the adelaide-baby-shower-app wheel + its deps at nix build time. The wheel comes from the forge PyPI index with a pinned SRI hash. The entrypoint no longer does pip-at-boot — it just runs migrations, collectstatic, and execs gunicorn. 2. ansible/roles/borgmatic/defaults/main.yml: - Adds shower to borgmatic_k8s_sqlite_dumps (context k3s-ringtail) so /app/data/db.sqlite3 is dumped via kubectl exec on every run. - Adds /Volumes/shower (sifaka SMB mount on indri) to borgmatic_source_directories so prize-photo media gets archived. 3. NFS share docs corrected to match the real on-sifaka pattern: exports allowlist 192.168.1.0/24 + 100.64.0.0/10 with all_squash to admin (matching frigate/paperless/etc.), not "Squash=No mapping". The pod's runAsUser doesn't need to match an on-disk uid because all_squash rewrites every write to admin:users. Also adds a missing service-versions entry for the tailscale container introduced in PR #347 — pre-existing gap surfaced by the container-version-check hook on this commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:37:12 -07:00
cp ${localSettings} app/local_settings.py
'';
fakeRootCommands = ''
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
chown -R 1000:1000 app
'';
enableFakechroot = true;
config = {
Entrypoint = [ "${entrypoint}" ];
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"TZDIR=${pkgs.tzdata}/share/zoneinfo"
"TZ=America/Los_Angeles"
"TMPDIR=/tmp"
"LANG=C.UTF-8"
"LC_ALL=C.UTF-8"
C1: switch shower container to pip-install FOD The buildPythonPackage approach with `propagatedBuildInputs = [ python.pkgs.django ... ]` doesn't work: 1. nixpkgs python314Packages.django still aliases to Django 4.2 LTS, which doesn't support Python 3.14. 2. django-axes from nixpkgs pulls selenium + browser fonts into its check phase, and the nix sandbox can't provide those (fontconfig errors, then build dep tree collapses). Switching to authentik's FOD pattern instead: a single fixed-output derivation that pip-installs the adelaide-baby-shower-app wheel + every transitive dep from forge PyPI into a target dir. FODs get network access in exchange for a pinned output hash, so the closure stays reproducible. outputHash is set to fakeHash for the first build — the runner will print the real hash on failure; a follow-up commit will pin it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 09:00:26 -07:00
"PYTHONDONTWRITEBYTECODE=1"
C1: deploy adelaide-baby-shower-app to ringtail k3s Adds the Adelaide / Heidi / Addie baby shower app — a Django guest splash, raffle picker, and prize-assignment console — on ringtail k3s. Public landing at shower.eblu.me (via fly proxy), tailnet admin at shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app, wheel-published to the Forgejo Packages PyPI index. Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media, local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from 1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress. Defense-in-depth for the public surface: - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/ - shower_auth rate limit on the login path - new fail2ban filter+jail with a per-service shower-deny.conf (nginx-deny action generalized to accept nginx_deny_file) - django-axes (5 / 1h) keyed on (username, ip_address) Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard mirroring docs-apm.json, runbook at how-to/operations/shower-app.md, and a service-versions entry. X-Clacks-Overhead set on the new server block — GNU Terry Pratchett. Build: containers/shower/default.nix uses dockerTools to ship a nixpkgs Python plus a startup wrapper that installs the wheel into /app/data/.venv on first boot and execs gunicorn. Lets the wheel come from forge PyPI without pinning hashes for every transitive dep. Prerequisites tracked in the runbook (not yet executed): - NFS share sifaka:/volume1/shower (manual Synology step) - 1Password item "Shower (blumeops)" with secret-key field - container build via `mise run container-build-and-release shower` - Pulumi dns-up after merge - fly certs add shower.eblu.me Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
];
ExposedPorts = {
"8000/tcp" = { };
};
User = "1000";
WorkingDir = "/app";
};
}
Reference in a new issue Copy permalink